US9514313B2 - Techniques for secure data extraction in a virtual or cloud environment - Google Patents
- Publication number
- US9514313B2 (application US13/906,761)
- Authority
- US
- United States
- Prior art keywords
- machine
- virtual
- processing environment
- data
- virtual processing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Definitions
- a traditional computing environment includes a variety of security controls, which are noticeably absent from virtual/cloud environments, such as access controls identified as file permissions to protect sensitive data.
- Hardware specific encryption is even used to sometimes encrypt all data on a particular storage device.
- Various embodiments of the invention provide techniques for secure data extraction in a virtual or cloud environment.
- a method for extracting and securing data from a virtual environment is presented.
- an encryption key that is tailored for a virtual processing environment is acquired.
- selective data to extract from the virtual processing environment is identified.
- the selective data is encrypted with the encryption key.
- FIG. 1 is a diagram of a method for extracting and securing data from a virtual environment, according to an example embodiment presented herein.
- FIG. 2 is a diagram of another method for extracting and securing data from a virtual environment, according to an example embodiment.
- FIG. 3 is a diagram of a secure virtual data extraction system, according to an embodiment.
- a “resource” includes a user, service, system, device, directory, data store, groups of users, a Virtual Machine (VM), a cloud, combinations and/or collections of these things, etc.
- a “principal” is a specific type of resource, such as an automated service or user that at one time or another is an actor on another principal or another type of resource.
- a designation as to what is a resource and what is a principal can change depending upon the context of any given network transaction. Thus, if one resource attempts to access another resource, the actor of the transaction may be viewed as a principal.
- Resources can acquire and be associated with unique identities to identify unique resources during network transactions.
- An “identity” is something that is formulated from one or more identifiers and secrets that provide a statement of roles and/or permissions that the identity has in relation to resources.
- An “identifier” is information, which may be private and permits an identity to be formed, and some portions of an identifier may be public information, such as a user identifier, name, etc. Some examples of identifiers include social security number (SSN), user identifier and password pair, account number, retina scan, fingerprint, face scan, etc.
- a “processing environment” defines a set of cooperating computing resources, such as machines (processor and memory-enabled devices), storage, software libraries, software systems, etc. that form a logical computing infrastructure.
- a “logical computing infrastructure” means that computing resources can be geographically distributed across a network, such as the Internet. So, one computing resource at network site X can be logically combined with another computing resource at network site Y to form a logical processing environment.
- processing environment may be used interchangeably and synonymously herein.
- the techniques presented herein are implemented in machines, such as processor or processor-enabled devices (hardware processors). These machines are configured and the memories programmed to specifically perform the processing of the methods and systems presented herein. Moreover, the methods and systems are implemented and reside within memory and/or a non-transitory computer-readable storage media or machine-readable storage medium and are processed on the machines configured to perform the methods.
- FIG. 1 is a diagram of a method 100 for extracting and securing data from a virtual environment, according to an example embodiment presented herein.
- the method 100 (herein after referred to as “virtual data extractor”) is implemented, programmed, and resides within memory and/or a non-transitory machine-readable storage medium that executes on one or more processors of a device and is operational over a network.
- the network may be wired, wireless, or a combination of wired and wireless.
- the virtual data extractor is implemented as part of the Input/Output (I/O) control mechanisms for a virtual environment (VM or cloud).
- I/O control mechanisms are available to initially startup and instantiate the virtual environment as well.
- parts of the virtual data extractor may also be associated with a distributor mechanism for the virtual environment.
- the embodiments presented allow for the extraction of information from a virtual environment and subsequent custom encryption. Extraction can be achieved in a variety of ways, such as, but not limited to, a binary difference calculation from a known state of the virtual environment.
- Company A wants to use a cloud to perform customer trend analysis. In order to do this, A uploads the corporate analysis environment and its customer data to a web site. While the general environment is pretty much public information, the corporate analysis environment may be classified as being sensitive; the customer data is classified as restricted. In this scenario, Company A creates a local VM with the public information. Company A snaps an image of the initial VM (VMbase). Then, Company A finishes building up the system and generates a delta state in a separate file. The delta image is then encrypted. When the encryption is complete, the key is also sealed (encrypted) and sent to a remote site where it is protected by a particular TPM.
- Company A sends its VMbase to a VM host machine 1.
- Company A sends its VM delta to the VM host machine 1.
- the VM host machine 1 decrypts the delta and inserts the delta information into the VMbase.
- the VM host machine 1 then loads and executes the complete VM.
- the VM host machine 1 suspends the current running instance of the VM.
- the then-existing delta state is extracted and sealed to the TPM again (again, the VM-running state minus the VMbase is the then-existing delta state).
- the delta state is then sent to a new target machine (VM target).
- the VM target then decrypts the delta with the key that was sealed in the TPM.
- VM target can also use this process to validate the origin and integrity of the delta by its ability to decrypt the data. If the delta was not able to be decrypted it means either that there was no relationship to VM target or the delta was modified in transmission (as discussed above).
- a TPM is not used; rather, a callback mechanism to get credentials for validation is integrated into the environment so as to make the system active.
- The processing of FIG. 1 is now discussed with respect to the virtual data extractor.
- the virtual data extractor acquires an encryption key tailored or customized for a virtual processing environment (VM or cloud). Acquisition can occur in a variety of manners.
- the virtual data extractor registers the virtual processing environment to obtain the encryption key.
- the virtual data extractor registers the virtual processing environment with a local environment of the device that executes the virtual processing environment (VM host machine).
- the virtual data extractor registers the virtual processing environment with a third-party credential arbiter, such as an identity manager or authentication service. So, entities (services and devices) authenticate and are in trusted communications with the third-party credential arbiter, which provides validation and authentication services and delivers credentials to the entities on request, such as a custom encryption key.
- the virtual data extractor obtains the encryption key from a TPM of the device that hosts the virtual processing environment.
- the virtual data extractor identifies the selective data to extract from the virtual processing environment.
- the mechanisms used to identify the selective data can vary without departing from the teachings presented herein.
- the virtual data extractor generates the selective data as a difference between a current running state of the virtual processing environment and a base image/state for the virtual processing environment (this situation was discussed in detail above as the examples that included VMbase and VM running).
- the virtual data extractor recognizes the selective data as an entire image for the virtual processing environment. So, the selective data can in some instances be an entire image captured for the virtual processing environment (VM or cloud) at any given point in time (this situation was also discussed above).
- the virtual data extractor dynamically recognizes the selective data as the virtual processing environment processes, and these situations can be based on one or more of: a policy evaluation, a specific operation being processed within the virtual processing environment, and a type assigned to the selective data.
- the virtual data extractor encrypts the selective data with the encryption key. This encryption occurs whenever the selective data is housed on disk, streamed over a network, and the like.
- the virtual data extractor stores the encrypted selective data in a repository (on disk).
- the virtual data extractor transmits the encrypted selective data as a stream over a network to a resource.
- the virtual data extractor seals the encryption key.
- the encryption key itself is encrypted with one or a variety of other keys/secrets.
- the virtual data extractor ties the sealed encryption key to a defined set of devices. So, a cluster or set of machines/devices can be identified as authorized to process instances of the virtual processing environment, where each machine/device includes its own key or secret (in some instances this can be a public key for each machine/device) and each key or secret is used as a collection to generate a key used to encrypt (seal) the original encryption key.
- FIG. 2 is a diagram of another method 200 for extracting and securing data from a virtual environment, according to an example embodiment.
- the method 200 (herein after referred to as “VM secure data distributor”) is implemented, programmed, and resides within memory and/or a non-transitory machine-readable storage medium that executes on one or more processors of a machine and is operational over a network.
- the network may be wired, wireless, or a combination of wired and wireless.
- the VM secure data distributor is presented from the perspective of a VM migration and/or instantiation mechanism for the virtual data extractor (discussed above with reference to the FIG. 1 ). That is, the virtual data extractor focuses on securely extracting and packaging either an entire VM or selected data associated with a VM (such as but not limited to a VM delta (as discussed above with the FIG. 1 )) whereas the VM secure data distributor focuses on distributing and/or validating the extracted and packaged VM or selected extracted VM-sensitive data.
- the VM secure data distributor transmits a base image of a virtual processing environment to a target machine (such as a VM target machine or environment).
- the VM secure data distributor identifies the target machine in response to an authorized cluster of machines that includes the target machine.
- the VM secure data distributor decides to transmit the base image to the target machine in response to a dynamically evaluated policy.
- the VM secure data distributor communicates selective encrypted data tied to a given state for the base image to the target machine.
- the VM secure data distributor instructs a running image of the virtual processing environment to validate, decrypt, and integrate the selective encrypted data into the running image.
- the VM secure data distributor directs the running image to a third-party credential arbiter to assist in validating the selective encrypted data.
- the VM secure data distributor directs the running image to use a sealed TPM key to validate the selective encrypted data.
- FIG. 3 is a diagram of a secure virtual data extraction system 300 , according to an embodiment.
- the components of the secure virtual data extraction system 300 are implemented as executable instructions that reside within memory and/or non-transitory computer-readable storage media and those instructions are executed by one or more devices.
- the components and the devices are operational over a network and the network can be wired, wireless, or a combination of wired and wireless.
- the secure virtual data extraction system 300 implements, inter alia, the features of the FIGS. 1-2 .
- the secure virtual data extraction system 300 includes a virtual data extractor 301 and a VM secure data distributor. Each of these will be discussed in turn.
- the secure virtual data extraction system 300 includes a machine having memory configured with the virtual data extractor 301 .
- Example processing associated with the virtual data extractor 301 was presented above in detail with reference to the FIG. 1 .
- the virtual data extractor 301 interacts with instances of the VM secure data distributor 302 (described above with reference to the FIGS. 1-2 ).
- the virtual data extractor 301 is configured to selectively identify, extract, and encrypt data associated with a VM. The manner in which the data can be identified was presented above with respect to the FIG. 1 . Moreover, the types of encryption can be customized and based on a TPM key or other custom encryption keys.
- the virtual data extractor 301 is integrated into a base image associated with the VM.
- the secure virtual data extraction system 300 includes a same machine (as what was used with the virtual data extractor 301 ) or a different machine having memory configured with the VM secure data distributor 302 .
- Example processing associated with the VM secure data distributor 302 was presented above in detail with reference to the FIGS. 1-2 and more particularly with the FIG. 2 .
- the VM secure data distributor 302 is configured to deliver the encrypted data to a target machine that is to run an instance of the VM and instruct the target machine to validate, decrypt, and integrate the encrypted data within the instance. Some example mechanisms to validate and decrypt the instance were presented above with respect to the FIG. 1 .
- the encrypted data is encrypted with a key that is tied to a configuration of the target machine. So, the encryption can be tied to a TPM based solution or tied to a specific machine configuration.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
-
- Register VM host machine with a local user environment (get a Trusted-Platform Module (TPM) key from VM Host Machine);
- Set up VMbase (VM initial image);
- Save VMbase;
- Execute programs during operation of the VMbase;
- Save a delta state (current VM-running state—VMbase) to a separate file;
- Encrypt the delta state; and
- Seal the key to a particular group of machines (using a TPM key) (cluster definition). This can include using a particular state of the machine(s) as well as a TPM device key.
On Startup:
- Send the VMbase to a VM host machine;
- Send the delta state to VM host machine;
- Cloud software attempts to decrypt the delta state information with the key (the key is from the TPM that was sealed);
- The un-encrypted delta state is injected into the VMbase to create a VM-running instance; and
- VM-running is instantiated.
On Migration:
- Save the delta state (a current VM-running state—minus the VMbase) to a separate file;
- Encrypt the delta state with the associated TPM key;
- Send the VMbase to a VM new host machine;
- Send the delta state to the VM new host machine (which is part of the TPM ‘cluster’ of machines permitted to access the VM); and
- Follow “On Startup” procedures thereafter.
-
- VM host new—attempts to decrypt the delta state;
- Failure is detected:
- means that the VM host new is not part of a VM TPM group; and/or
- means that the VM delta was modified in transmission;
- Success is detected:
- means that the VM host new is authorized for access; and
- means that the VM delta was not modified in transmission.
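The TPM-cluster flow listed above (save the delta, encrypt it, seal the key to a group of machines, decrypt on the target host), as an added Go example that is not code from the patent. Assumptions: the TPM is stood in for by a software key derived from hypothetical per-machine secrets, the delta is a plain XOR against the base, the cipher is AES-256-GCM, and every name and sample image is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Delta XORs img against base. Delta(base, running) is the delta state;
// Delta(base, delta) rebuilds the running image. (Assumed encoding.)
func Delta(base, img []byte) []byte {
	out := append([]byte(nil), img...)
	for i := 0; i < len(out) && i < len(base); i++ {
		out[i] ^= base[i]
	}
	return out
}

// ClusterKey derives one sealing key from the members' secrets, independent of order (assumed construction).
func ClusterKey(secrets [][]byte) []byte {
	s := append([][]byte(nil), secrets...)
	sort.Slice(s, func(i, j int) bool { return bytes.Compare(s[i], s[j]) < 0 })
	h := sha256.New()
	for _, m := range s {
		d := sha256.Sum256(m)
		h.Write(d[:])
	}
	return h.Sum(nil)
}

// aead returns AES-256-GCM; every key passed in this example is 32 bytes.
func aead(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(b)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts pt and authenticates aad; the random nonce is prepended.
func seal(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, aad)
}

// open fails if the key, the ciphertext or aad differs from what was sealed.
func open(key, box, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], aad)
}

// Extract encrypts the delta under a fresh data key, seals that key to the cluster, and binds both to the base hash.
func Extract(base, running []byte, cluster [][]byte) (sealedKey, encDelta []byte) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	aad := sha256.Sum256(base)
	return seal(ClusterKey(cluster), dataKey, aad[:]), seal(dataKey, Delta(base, running), aad[:])
}

// Startup is the target host's side; any error means the image must not be started.
func Startup(base, sealedKey, encDelta []byte, cluster [][]byte) ([]byte, error) {
	aad := sha256.Sum256(base)
	dataKey, err := open(ClusterKey(cluster), sealedKey, aad[:])
	if err != nil {
		return nil, fmt.Errorf("unseal key: %w", err)
	}
	delta, err := open(dataKey, encDelta, aad[:])
	if err != nil {
		return nil, fmt.Errorf("decrypt delta: %w", err)
	}
	return Delta(base, delta), nil
}

func main() {
	base, running := []byte("os+env;cfg=default"), []byte("os+env;cfg=tuned;customers=load") // constructed images
	cluster := [][]byte{[]byte("host1-secret"), []byte("host2-secret")}                      // constructed secrets
	sealedKey, encDelta := Extract(base, running, cluster)
	img, err := Startup(base, sealedKey, encDelta, cluster)
	fmt.Println(string(img), err)
}
```

Because the hash of the base image is passed as associated data, a delta replayed against a different VMbase is rejected in the same way as a tampered delta or a host outside the cluster.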
-
- Register a third party arbitrator with a VM host (and generate a bound token on registration);
- Setup a VMbase;
- Save the VMbase;
- Execute programs during normal operation of the VM associated with the VMbase;
- Save the then-existing VM; and
- Encrypt the then-existing VM with the bound token for the third party.
On Startup:
- Send the VM to a VM host machine;
- The VM host machine queries the third party arbitrator;
- The third party arbitrator authenticates the VM host machine;
- If the VM host machine is successfully authenticated, then the third party arbitrator sends the key forward to the VM host machine;
- The VM host machine decrypts the VM; and
- The VM host machine runs the VM.
On Migration:
- Hibernate a VM;
- Encrypt the VM with the third party arbitrator key;
- Migrate the VM to a new target VM; and
- The target VM follows the “On Startup” process.
Claims (15)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/906,761 US9514313B2 (en) | 2013-03-15 | 2013-05-31 | Techniques for secure data extraction in a virtual or cloud environment |
US15/368,904 US10454902B2 (en) | 2013-03-15 | 2016-12-05 | Techniques for secure data extraction in a virtual or cloud environment |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201361788671P | 2013-03-15 | 2013-03-15 | |
US13/906,761 US9514313B2 (en) | 2013-03-15 | 2013-05-31 | Techniques for secure data extraction in a virtual or cloud environment |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/368,904 Continuation US10454902B2 (en) | 2013-03-15 | 2016-12-05 | Techniques for secure data extraction in a virtual or cloud environment |
Publications (2)
Publication Number | Publication Date |
---|---|
US20140281509A1 (en) | 2014-09-18 |
US9514313B2 (en) | 2016-12-06 |
Family
ID=51534046
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/906,761 Expired - Fee Related US9514313B2 (en) | 2013-03-15 | 2013-05-31 | Techniques for secure data extraction in a virtual or cloud environment |
US15/368,904 Active US10454902B2 (en) | 2013-03-15 | 2016-12-05 | Techniques for secure data extraction in a virtual or cloud environment |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/368,904 Active US10454902B2 (en) | 2013-03-15 | 2016-12-05 | Techniques for secure data extraction in a virtual or cloud environment |
Country Status (1)
Country | Link |
---|---|
US (2) | US9514313B2 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150244716A1 (en) * | 2014-02-24 | 2015-08-27 | Amazon Technologies, Inc. | Securing client-specified credentials at cryptograpically attested resources |
US20170180331A1 (en) * | 2013-03-15 | 2017-06-22 | Netiq Corporation | Techniques for secure data extraction in a virtual or cloud environment |
US10534921B2 (en) | 2017-08-23 | 2020-01-14 | Red Hat, Inc. | Copy and decrypt support for encrypted virtual machines |
US10860359B2 (en) * | 2018-02-28 | 2020-12-08 | Red Hat, Inc. | Key management for encrypted virtual machines |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9792448B2 (en) | 2014-02-28 | 2017-10-17 | Advanced Micro Devices, Inc. | Cryptographic protection of information in a processing system |
DK3127300T3 (en) * | 2014-05-12 | 2019-10-07 | Google Llc | Managing nic-encrypted flows to migrate guests or tasks |
US10594484B2 (en) | 2015-02-13 | 2020-03-17 | Yoti Holding Limited | Digital identity system |
US9858408B2 (en) * | 2015-02-13 | 2018-01-02 | Yoti Holding Limited | Digital identity system |
US10853592B2 (en) | 2015-02-13 | 2020-12-01 | Yoti Holding Limited | Digital identity system |
US10692085B2 (en) | 2015-02-13 | 2020-06-23 | Yoti Holding Limited | Secure electronic payment |
US9785764B2 (en) | 2015-02-13 | 2017-10-10 | Yoti Ltd | Digital identity |
CN104866750B (en) * | 2015-03-31 | 2018-06-12 | 小米科技有限责任公司 | Using startup method and apparatus |
US20170277898A1 (en) * | 2016-03-25 | 2017-09-28 | Advanced Micro Devices, Inc. | Key management for secure memory address spaces |
CN105912913A (en) * | 2016-05-25 | 2016-08-31 | 深圳天珑无线科技有限公司 | Information processing method of terminal with touch-sensitive display, and terminal |
EP3516573A1 (en) | 2016-09-22 | 2019-07-31 | Telefonaktiebolaget LM Ericsson (PUBL) | Version control for trusted computing |
US11256606B2 (en) | 2016-11-04 | 2022-02-22 | Salesforce.Com, Inc. | Declarative signup for ephemeral organization structures in a multitenant environment |
US10783235B1 (en) * | 2017-05-04 | 2020-09-22 | Amazon Technologies, Inc. | Secure remote access of computing resources |
CN107483187A (en) * | 2017-08-02 | 2017-12-15 | 浪潮(北京)电子信息产业有限公司 | A kind of data guard method and device based on credible password module |
US11010481B2 (en) * | 2018-07-31 | 2021-05-18 | Salesforce.Com, Inc. | Systems and methods for secure data transfer between entities in a multi-user on-demand computing environment |
US11010272B2 (en) * | 2018-07-31 | 2021-05-18 | Salesforce.Com, Inc. | Systems and methods for secure data transfer between entities in a multi-user on-demand computing environment |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090172781A1 (en) * | 2007-12-20 | 2009-07-02 | Fujitsu Limited | Trusted virtual machine as a client |
US20090282266A1 (en) * | 2008-05-08 | 2009-11-12 | Microsoft Corporation | Corralling Virtual Machines With Encryption Keys |
US7987497B1 (en) | 2004-03-05 | 2011-07-26 | Microsoft Corporation | Systems and methods for data encryption using plugins within virtual systems and subsystems |
US20110302415A1 (en) * | 2010-06-02 | 2011-12-08 | Vmware, Inc. | Securing customer virtual machines in a multi-tenant cloud |
US20120216052A1 (en) * | 2011-01-11 | 2012-08-23 | Safenet, Inc. | Efficient volume encryption |
US20130086383A1 (en) * | 2011-10-04 | 2013-04-04 | International Business Machines Corporation | Virtual machine images encryption using trusted computing group sealing |
US20130097296A1 (en) * | 2011-10-18 | 2013-04-18 | Telefonaktiebolaget L M Ericsson (Publ) | Secure cloud-based virtual machine migration |
US20140130040A1 (en) * | 2012-11-02 | 2014-05-08 | The Boeing Company | Systems and methods for migrating virtual machines |
US20140201533A1 (en) * | 2012-10-29 | 2014-07-17 | Empire Technology Development Llc | Quorum-based virtual machine security |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8225314B2 (en) * | 2006-03-31 | 2012-07-17 | Intel Corporation | Support for personal computing in a public computing infrastructure by using a single VM delta image for each VM base image utilized by a user |
US9361089B2 (en) * | 2008-07-22 | 2016-06-07 | International Business Machines Corporation | Secure patch updates of a virtual machine image in a virtualization data processing system |
US9110727B2 (en) * | 2010-10-05 | 2015-08-18 | Unisys Corporation | Automatic replication of virtual machines |
US9514313B2 (en) | 2013-03-15 | 2016-12-06 | Netiq Corporation | Techniques for secure data extraction in a virtual or cloud environment |
-
2013
- 2013-05-31 US US13/906,761 patent/US9514313B2/en not_active Expired - Fee Related
-
2016
- 2016-12-05 US US15/368,904 patent/US10454902B2/en active Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7987497B1 (en) | 2004-03-05 | 2011-07-26 | Microsoft Corporation | Systems and methods for data encryption using plugins within virtual systems and subsystems |
US20090172781A1 (en) * | 2007-12-20 | 2009-07-02 | Fujitsu Limited | Trusted virtual machine as a client |
US20090282266A1 (en) * | 2008-05-08 | 2009-11-12 | Microsoft Corporation | Corralling Virtual Machines With Encryption Keys |
US8364983B2 (en) | 2008-05-08 | 2013-01-29 | Microsoft Corporation | Corralling virtual machines with encryption keys |
US20110302415A1 (en) * | 2010-06-02 | 2011-12-08 | Vmware, Inc. | Securing customer virtual machines in a multi-tenant cloud |
US20120216052A1 (en) * | 2011-01-11 | 2012-08-23 | Safenet, Inc. | Efficient volume encryption |
US20130086383A1 (en) * | 2011-10-04 | 2013-04-04 | International Business Machines Corporation | Virtual machine images encryption using trusted computing group sealing |
US20130097296A1 (en) * | 2011-10-18 | 2013-04-18 | Telefonaktiebolaget L M Ericsson (Publ) | Secure cloud-based virtual machine migration |
US20140201533A1 (en) * | 2012-10-29 | 2014-07-17 | Empire Technology Development Llc | Quorum-based virtual machine security |
US20140130040A1 (en) * | 2012-11-02 | 2014-05-08 | The Boeing Company | Systems and methods for migrating virtual machines |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170180331A1 (en) * | 2013-03-15 | 2017-06-22 | Netiq Corporation | Techniques for secure data extraction in a virtual or cloud environment |
US10454902B2 (en) * | 2013-03-15 | 2019-10-22 | Netiq Corporation | Techniques for secure data extraction in a virtual or cloud environment |
US20150244716A1 (en) * | 2014-02-24 | 2015-08-27 | Amazon Technologies, Inc. | Securing client-specified credentials at cryptograpically attested resources |
US10389709B2 (en) * | 2014-02-24 | 2019-08-20 | Amazon Technologies, Inc. | Securing client-specified credentials at cryptographically attested resources |
US10534921B2 (en) | 2017-08-23 | 2020-01-14 | Red Hat, Inc. | Copy and decrypt support for encrypted virtual machines |
US10860359B2 (en) * | 2018-02-28 | 2020-12-08 | Red Hat, Inc. | Key management for encrypted virtual machines |
Also Published As
Publication number | Publication date |
---|---|
US10454902B2 (en) | 2019-10-22 |
US20170180331A1 (en) | 2017-06-22 |
US20140281509A1 (en) | 2014-09-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10454902B2 (en) | | Techniques for secure data extraction in a virtual or cloud environment |
RU2756048C2 (en) | | Addressing trusted execution environment using encryption key |
US10462114B2 (en) | | System and associated software for providing advanced data protections in a defense-in-depth system by integrating multi-factor authentication with cryptographic offloading |
EP3014847B1 (en) | | Secure hybrid file-sharing system |
CN107820604B (en) | | Para-virtualized security threat protection for computer driven systems with networked devices |
US9698988B2 (en) | | Management control method, apparatus, and system for virtual machine |
US9846778B1 (en) | | Encrypted boot volume access in resource-on-demand environments |
US8312272B1 (en) | | Secure authentication token management |
WO2022073264A1 (en) | | Systems and methods for secure and fast machine learning inference in trusted execution environment |
EP2755162B1 (en) | | Identity controlled data center |
US9961048B2 (en) | | System and associated software for providing advanced data protections in a defense-in-depth system by integrating multi-factor authentication with cryptographic offloading |
US10083128B2 (en) | | Generating memory dumps |
US11626976B2 (en) | | Information processing system, information processing device, information processing method and information processing program |
WO2019007028A1 (en) | | Authentication protection system and method based on trusted environment, and storage medium |
US11288381B2 (en) | | Calculation device, calculation method, calculation program and calculation system |
US10178183B2 (en) | | Techniques for prevent information disclosure via dynamic secure cloud resources |
US10516655B1 (en) | | Encrypted boot volume access in resource-on-demand environments |
KR101107056B1 (en) | | Method for protecting important information of virtual machine in cloud computing environment |
US20200074066A1 (en) | | Method for accessing a secure computer resource by a computer application |
KR102631080B1 (en) | | Docker image authentication apparatus and method using homomoriphic encryption |
KR20160067547A (en) | | Improved mobile trusted module-based session and key management method |
Zhao et al. | | The Mobile Terminal Security Access System Based on IPSec VPN |
WO2015005763A1 (en) | | A system and method for cloud provider to provide virtual machine subscription service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CREDIT SUISSE AG, AS COLLATERAL AGENT, NEW YORK Free format text: GRANT OF PATENT SECURITY INTEREST (SECOND LIEN);ASSIGNOR:NOVELL, INC.;REEL/FRAME:030985/0338 Effective date: 20130730 Owner name: CREDIT SUISSE AG, AS COLLATERAL AGENT, NEW YORK Free format text: GRANT OF PATENT SECURITY AGREEMENT (FIRST LIEN);ASSIGNOR:NOVELL, INC.;REEL/FRAME:030985/0319 Effective date: 20130730 |
|
AS | Assignment |
Owner name: NOVELL, INC., UTAH Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ANGELO, MICHAEL F.;BURCH, LLOYD LEON;SIGNING DATES FROM 20130530 TO 20130531;REEL/FRAME:033508/0764 |
|
AS | Assignment |
Owner name: NETIQ CORPORATION, UTAH Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NOVELL, INC.;REEL/FRAME:033553/0379 Effective date: 20140808 |
|
AS | Assignment |
Owner name: NOVELL, INC., UTAH Free format text: RELEASE OF SECURITY INTEREST RECORDED AT REEL/FRAME 030985/0338;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:034446/0481 Effective date: 20141120 Owner name: NOVELL, INC., UTAH Free format text: RELEASE OF SECURITY INTEREST RECORDED AT REEL/FRAME 030985/0319;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:034446/0434 Effective date: 20141120 |
|
AS | Assignment |
Owner name: BANK OF AMERICA, N.A., CALIFORNIA Free format text: SECURITY INTEREST;ASSIGNORS:MICRO FOCUS (US), INC.;BORLAND SOFTWARE CORPORATION;ATTACHMATE CORPORATION;AND OTHERS;REEL/FRAME:035656/0251 Effective date: 20141120 |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: JPMORGAN CHASE BANK, N.A., AS SUCCESSOR AGENT, NEW Free format text: NOTICE OF SUCCESSION OF AGENCY;ASSIGNOR:BANK OF AMERICA, N.A., AS PRIOR AGENT;REEL/FRAME:042388/0386 Effective date: 20170501 |
|
AS | Assignment |
Owner name: JPMORGAN CHASE BANK, N.A., DELAWARE Free format text: SECURITY INTEREST;ASSIGNORS:ATTACHMATE CORPORATION;BORLAND SOFTWARE CORPORATION;NETIQ CORPORATION;AND OTHERS;REEL/FRAME:044183/0718 Effective date: 20170901 |
|
AS | Assignment |
Owner name: JPMORGAN CHASE BANK, N.A., AS SUCCESSOR AGENT, NEW Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE TO CORRECT TYPO IN APPLICATION NUMBER 10708121 WHICH SHOULD BE 10708021 PREVIOUSLY RECORDED ON REEL 042388 FRAME 0386. ASSIGNOR(S) HEREBY CONFIRMS THE NOTICE OF SUCCESSION OF AGENCY;ASSIGNOR:BANK OF AMERICA, N.A., AS PRIOR AGENT;REEL/FRAME:048793/0832 Effective date: 20170501 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20201206 |
|
AS | Assignment |
Owner name: NETIQ CORPORATION, WASHINGTON Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), WASHINGTON Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: ATTACHMATE CORPORATION, WASHINGTON Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: SERENA SOFTWARE, INC, CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: MICRO FOCUS (US), INC., MARYLAND Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: BORLAND SOFTWARE CORPORATION, MARYLAND Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: MICRO FOCUS LLC (F/K/A ENTIT SOFTWARE LLC), CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399 Effective date: 20230131 Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), WASHINGTON Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 035656/0251;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062623/0009 Effective date: 20230131 Owner name: MICRO FOCUS (US), INC., MARYLAND Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 035656/0251;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062623/0009 Effective date: 20230131 Owner name: NETIQ CORPORATION, WASHINGTON Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 035656/0251;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062623/0009 Effective date: 20230131 Owner name: ATTACHMATE CORPORATION, WASHINGTON Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 035656/0251;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062623/0009 Effective date: 20230131 Owner name: BORLAND SOFTWARE CORPORATION, MARYLAND Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 035656/0251;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062623/0009 Effective date: 20230131 |